AdmitOne Security uses keystroke identification to screen users

September 4, 2008 6:00 AMDean Takahashi

Identity thieves are everywhere. A teenager snatched the login of his real-estate agent father and threw wild parties at homes that were up for sale. Students get someone else to take a test for them. Loan officers get hacked and the profiles of 7,000 of their customers are stolen.

This is the problem that AdmitOne Security is trying to solve. It uses the novel technology of keystroke identification. That is, it uses software to detect the patterns of the way someone types in their username and password. Then it compares that to past records and determines whether it’s really you logging in. The recognition is nearly instant and it adds an accurate factor for authentication.

“Even if you stole somebody’s username and password, we can figure out if you’re not really that person,” said Matt Shanahan, senior vice president of marketing and strategy at the Issaquah, Wash.-based company.

The company is targeting the technology at businesses, but it could eventually trickle down to consumers. Besides the typing authentication, the company also uses IP address verification and computer device identification. This so-called risk-based authentication — where three factors are used to identify someone — is becoming more popular because of growing identity theft scams.

The keystroke identification is important. Other means of identifying someone, such as voice recognition, aren’t always convenient. When you’re logging into a laptop, you may not always be easy to reach on the phone for the verification call.

The authentication works, judging by the company’s 50 percent growth in the six months. AdmitOne now has more than 125 customers who pay $25,000 a year and up, based on the number of users they screen. The company says it has a 25 percent increase in customers this year and a 60 percent increase in its average selling price. There are 38 financial institutions among the customers. (The chart above shows the differences in typing patterns between a user and an imposter.)

Shanahan said that the technology can scale to screen millions of users. The technology came from a some longstanding research. The U.S. National Science Foundation funded a research project at the Rand Corp. in 1980 about computer security and keystroke dynamics. SRI International took up the research into typing rhythms. The SRI technology was able to identify users with 98 percent accuracy. The company acquired the patents in 2002 and applied its own engineering to the problem and came up with something that worked.

With just 12 keystrokes, the software can recognize a user. On those keystrokes, the software records 47 different measurements. Among the important measurements are “dwell time,” or the amount of time someone holds down a key. And another is “flight time,” or the time between keystrokes. Yes, I’m afraid that we all have “typing signatures.” I myself have to pause my keystrokes now and then while my brain stops working.

The Stanford keystroke recognition technology by itself wasn’t good enough to catch everything. But used in combination with other authentication means, it’s pretty effective, Shanahan said. The company was founded in 2005 under the name BioPassword. It was rebranded as Admit One in April.